





















@@ -91,20 +91,18 @@ describe("gateway auth", () => {
9191}
92929393it("resolves token/password from OPENCLAW gateway env vars", () => {
94-expect(
95-resolveGatewayAuth({
96-authConfig: {},
97-env: {
98-OPENCLAW_GATEWAY_TOKEN: "env-token",
99-OPENCLAW_GATEWAY_PASSWORD: "env-password",
100-} as NodeJS.ProcessEnv,
101-}),
102-).toMatchObject({
103-mode: "password",
104-modeSource: "password",
105-token: "env-token",
106-password: "env-password",
94+const auth = resolveGatewayAuth({
95+authConfig: {},
96+env: {
97+OPENCLAW_GATEWAY_TOKEN: "env-token",
98+OPENCLAW_GATEWAY_PASSWORD: "env-password",
99+} as NodeJS.ProcessEnv,
107100});
101+102+expect(auth.mode).toBe("password");
103+expect(auth.modeSource).toBe("password");
104+expect(auth.token).toBe("env-token");
105+expect(auth.password).toBe("env-password");
108106});
109107110108it("resolves the active shared token auth only", () => {
@@ -184,69 +182,61 @@ describe("gateway auth", () => {
184182});
185183186184it("keeps gateway auth config values ahead of env overrides", () => {
187-expect(
188-resolveGatewayAuth({
189-authConfig: {
190-token: "config-token",
191-password: "config-password", // pragma: allowlist secret
192-},
193-env: {
194-OPENCLAW_GATEWAY_TOKEN: "env-token",
195-OPENCLAW_GATEWAY_PASSWORD: "env-password",
196-} as NodeJS.ProcessEnv,
197-}),
198-).toMatchObject({
199-token: "config-token",
200-password: "config-password", // pragma: allowlist secret
185+const auth = resolveGatewayAuth({
186+authConfig: {
187+token: "config-token",
188+password: "config-password", // pragma: allowlist secret
189+},
190+env: {
191+OPENCLAW_GATEWAY_TOKEN: "env-token",
192+OPENCLAW_GATEWAY_PASSWORD: "env-password",
193+} as NodeJS.ProcessEnv,
201194});
195+196+expect(auth.token).toBe("config-token");
197+expect(auth.password).toBe("config-password"); // pragma: allowlist secret
202198});
203199204200it("treats env-template auth secrets as SecretRefs instead of plaintext", () => {
205-expect(
206-resolveGatewayAuth({
207-authConfig: {
208-token: "${OPENCLAW_GATEWAY_TOKEN}",
209-password: "${OPENCLAW_GATEWAY_PASSWORD}",
210-},
211-env: {
212-OPENCLAW_GATEWAY_TOKEN: "env-token",
213-OPENCLAW_GATEWAY_PASSWORD: "env-password",
214-} as NodeJS.ProcessEnv,
215-}),
216-).toMatchObject({
217-token: "env-token",
218-password: "env-password",
219-mode: "password",
201+const auth = resolveGatewayAuth({
202+authConfig: {
203+token: "${OPENCLAW_GATEWAY_TOKEN}",
204+password: "${OPENCLAW_GATEWAY_PASSWORD}",
205+},
206+env: {
207+OPENCLAW_GATEWAY_TOKEN: "env-token",
208+OPENCLAW_GATEWAY_PASSWORD: "env-password",
209+} as NodeJS.ProcessEnv,
220210});
211+212+expect(auth.token).toBe("env-token");
213+expect(auth.password).toBe("env-password");
214+expect(auth.mode).toBe("password");
221215});
222216223217it("resolves explicit auth mode none from config", () => {
224-expect(
225-resolveGatewayAuth({
226-authConfig: { mode: "none" },
227-env: {} as NodeJS.ProcessEnv,
228-}),
229-).toMatchObject({
230-mode: "none",
231-modeSource: "config",
232-token: undefined,
233-password: undefined,
218+const auth = resolveGatewayAuth({
219+authConfig: { mode: "none" },
220+env: {} as NodeJS.ProcessEnv,
234221});
222+223+expect(auth.mode).toBe("none");
224+expect(auth.modeSource).toBe("config");
225+expect(auth.token).toBeUndefined();
226+expect(auth.password).toBeUndefined();
235227});
236228237229it("marks mode source as override when runtime mode override is provided", () => {
238-expect(
239-resolveGatewayAuth({
240-authConfig: { mode: "password", password: "config-password" }, // pragma: allowlist secret
241-authOverride: { mode: "token" },
242-env: {} as NodeJS.ProcessEnv,
243-}),
244-).toMatchObject({
245-mode: "token",
246-modeSource: "override",
247-token: undefined,
248-password: "config-password", // pragma: allowlist secret
230+const auth = resolveGatewayAuth({
231+authConfig: { mode: "password", password: "config-password" }, // pragma: allowlist secret
232+authOverride: { mode: "token" },
233+env: {} as NodeJS.ProcessEnv,
249234});
235+236+expect(auth.mode).toBe("token");
237+expect(auth.modeSource).toBe("override");
238+expect(auth.token).toBeUndefined();
239+expect(auth.password).toBe("config-password"); // pragma: allowlist secret
250240});
251241252242it("authorizes matching token auth when req is missing socket", async () => {
@@ -298,11 +288,9 @@ describe("gateway auth", () => {
298288authConfig: { mode: "none", token: "configured-token" },
299289env: {} as NodeJS.ProcessEnv,
300290});
301-expect(auth).toMatchObject({
302-mode: "none",
303-modeSource: "config",
304-token: "configured-token",
305-});
291+expect(auth.mode).toBe("none");
292+expect(auth.modeSource).toBe("config");
293+expect(auth.token).toBe("configured-token");
306294307295const res = await authorizeGatewayConnect({
308296 auth,
@@ -646,65 +634,61 @@ describe("trusted-proxy auth", () => {
646634});
647635648636it("accepts trusted-proxy HTTP requests from allowed origins", async () => {
649-await expect(
650-authorizeHttpGatewayConnect({
651-auth: {
652-mode: "trusted-proxy",
653-allowTailscale: false,
654-trustedProxy: trustedProxyConfig,
655-},
656-connectAuth: null,
657-trustedProxies: ["10.0.0.1"],
658-req: {
659-socket: { remoteAddress: "10.0.0.1" },
660-headers: {
661-host: "gateway.example.com",
662-origin: "https://control.example.com",
663-"x-forwarded-user": "nick@example.com",
664-"x-forwarded-proto": "https",
665-},
666-} as never,
667-browserOriginPolicy: {
668-requestHost: "gateway.example.com",
637+const res = await authorizeHttpGatewayConnect({
638+auth: {
639+mode: "trusted-proxy",
640+allowTailscale: false,
641+trustedProxy: trustedProxyConfig,
642+},
643+connectAuth: null,
644+trustedProxies: ["10.0.0.1"],
645+req: {
646+socket: { remoteAddress: "10.0.0.1" },
647+headers: {
648+host: "gateway.example.com",
669649origin: "https://control.example.com",
670-allowedOrigins: ["https://control.example.com"],
650+"x-forwarded-user": "nick@example.com",
651+"x-forwarded-proto": "https",
671652},
672-}),
673-).resolves.toMatchObject({
674-ok: true,
675-method: "trusted-proxy",
676-user: "nick@example.com",
653+} as never,
654+browserOriginPolicy: {
655+requestHost: "gateway.example.com",
656+origin: "https://control.example.com",
657+allowedOrigins: ["https://control.example.com"],
658+},
677659});
660+661+expect(res.ok).toBe(true);
662+expect(res.method).toBe("trusted-proxy");
663+expect(res.user).toBe("nick@example.com");
678664});
679665680666it("keeps origin-less trusted-proxy HTTP requests working", async () => {
681-await expect(
682-authorizeHttpGatewayConnect({
683-auth: {
684-mode: "trusted-proxy",
685-allowTailscale: false,
686-trustedProxy: trustedProxyConfig,
687-},
688-connectAuth: null,
689-trustedProxies: ["10.0.0.1"],
690-req: {
691-socket: { remoteAddress: "10.0.0.1" },
692-headers: {
693-host: "gateway.example.com",
694-"x-forwarded-user": "nick@example.com",
695-"x-forwarded-proto": "https",
696-},
697-} as never,
698-browserOriginPolicy: {
699-requestHost: "gateway.example.com",
700-allowedOrigins: ["https://control.example.com"],
667+const res = await authorizeHttpGatewayConnect({
668+auth: {
669+mode: "trusted-proxy",
670+allowTailscale: false,
671+trustedProxy: trustedProxyConfig,
672+},
673+connectAuth: null,
674+trustedProxies: ["10.0.0.1"],
675+req: {
676+socket: { remoteAddress: "10.0.0.1" },
677+headers: {
678+host: "gateway.example.com",
679+"x-forwarded-user": "nick@example.com",
680+"x-forwarded-proto": "https",
701681},
702-}),
703-).resolves.toMatchObject({
704-ok: true,
705-method: "trusted-proxy",
706-user: "nick@example.com",
682+} as never,
683+ browserOriginPolicy: {
684+ requestHost: "gateway.example.com",
685+ allowedOrigins: ["https://control.example.com"],
686+},
707687});
688+689+expect(res.ok).toBe(true);
690+expect(res.method).toBe("trusted-proxy");
691+expect(res.user).toBe("nick@example.com");
708692});
709693710694it("rejects request from untrusted source", async () => {
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。